Even if you can verify your program is a bug-free implementation of your specifications, how do you verify your specifications?

And how do you account for electrical or mechanical "bugs," such as sensors not working correctly, cosmic rays (single-event upsets, etc.), and mechanical elements failing?

And then what do you do when the needs (specifications) change? It often seems like people assume the specs will never change; one of the things I like best about agile development is that it assumes the specs will change. Automated test suites can help (regression testing), but with real-world systems that's harder.

There's a reason I like hard-wired (NO SOFTWARE!) E-Stop or EMO systems.

"But it still doesn't prove the widget will do what you actually wanted it to do - only that the two models do the same thing under a (hopefully) more exhaustive set of conditions" -- well, sort of.

It is true that you have to be able to state in logic what you want the system to do, and the need for such specifications has often been held out as a reason that formal methods can never work. However, I think that's just sour grapes left over from twenty years ago, when formal methods were *really* impractical. Not that long ago we *couldn't* actually prove significant systems correct, and so we convinced ourselves that even if we could, we would never be able to figure out what properties we wanted proven anyway -- just like the fox and the grapes. In practice, I think people often overestimate how troublesome it is to produce a logical statement of the desired behavior compared with producing the implementation itself.

Consider as a trivial example a sorting routine. The output is supposed to be a permutation of the input in which no element is larger than the next (or smaller than the next, depending on sort direction). This is very compact to express in logic -- but there are dozens and dozens of algorithms that will do it, and expressing most of them is substantially more complicated than the correctness condition.
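To make the asymmetry concrete, here is a rough sketch (in Python, purely for illustration -- real formal specs would be written in a logic, not executable code) of the sorting spec above. The entire specification is two short predicates, while any particular sorting algorithm takes considerably more code to state:

```python
from collections import Counter

def is_permutation_of(output, original):
    # Same elements with the same multiplicities.
    return Counter(output) == Counter(original)

def is_ordered(output):
    # No element is larger than the next (ascending sort).
    return all(a <= b for a, b in zip(output, output[1:]))

def satisfies_sort_spec(output, original):
    # The whole correctness condition: an ordered permutation of the input.
    return is_permutation_of(output, original) and is_ordered(output)
```

Quicksort, mergesort, heapsort -- any of the dozens of algorithms must satisfy exactly this condition, and each of them is longer and subtler than the condition itself.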

That said, doing things like producing the formal semantics for C to permit the statement of the correctness condition for CompCert was certainly a huge effort, and I don't want to claim that it is not a significant effort in many cases to produce a good statement in formal logic. What I'm trying to claim is that this problem is not, in fact, insurmountable.

Indeed, producing statements about correctness constraints in a safety critical system is often quite straightforward. In particular, the control problem described by the original article has safety conditions that are likely quite compactly described.
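As a hypothetical illustration (the controller, state fields, and limits here are all invented for the example, not taken from the original article), a safety condition for a simple motor controller can be stated as a short predicate over the system state:

```python
# Invented example: a compact safety invariant for a motor controller.
MAX_SAFE_RPM = 3000

def safety_invariant(state):
    # If the emergency stop is asserted, the drive output must be zero.
    if state["estop_asserted"] and state["drive_output_rpm"] != 0:
        return False
    # The drive speed must never exceed the rated maximum.
    return abs(state["drive_output_rpm"]) <= MAX_SAFE_RPM
```

The point is that conditions like "the drive is off whenever the e-stop is asserted" are a few lines of logic, even when the controller that must maintain them is large.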

Languages like Haskell are very cool things, but they're not per se ways of producing formally verified code. To do that, you need to produce a statement of what your program is supposed to do in formal logic and then demonstrate, with something like a proof assistant, that your program actually does it -- not something Haskell or SPARK Ada is designed for. That said, Haskell was used to produce the executable model against which the C code used in the seL4 project was verified.
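To give a flavor of the "statement plus proof" workflow, here is a toy example in Lean (a proof assistant in the same family as Coq and Isabelle/HOL): first state a property in logic, then discharge it with a machine-checked proof. The property chosen here is my own trivial example, not anything from seL4 or CompCert.

```lean
-- Specification: reversing a list preserves its length.
theorem rev_preserves_length (xs : List Nat) :
    xs.reverse.length = xs.length := by
  -- The proof is checked by the kernel, not tested on examples.
  simp
```

Real verification projects state properties about compilers or kernels rather than list reversal, but the shape is the same: a logical statement, and a proof the machine checks in full.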

The path to understanding how to use these tools for purposes like this is not, unfortunately, an easy one. Good examples of projects that have been formally verified using Coq include CompCert (publications: http://compcert.inria.fr/publi.html ) and Quark ( http://goto.ucsd.edu/quark/ ) -- looking at them may give you some hint of what is possible and how difficult it might be.

Benjamin Pierce's "Software Foundations" ( http://www.cis.upenn.edu/~bcpierce/sf/ ) is probably a good place to get some background while simultaneously learning a bit of Coq. The book Certified Programming with Dependent Types ( http://adam.chlipala.net/cpdt/ ) teaches specifically how to use Coq to write verified programs, but I caution it is not easy going. There is also a book on Coq itself called Coq'Art ( http://www.labri.fr/perso/casteran/CoqArt/index.html ) that is not bad.

If this all makes it sound like this is Not An Easy Thing To Learn, that's because it isn't. The state of the art has advanced dramatically in 20 years, from the point where contemplating proving something as big as a compiler correct was impossible to the point where it is feasible for very dedicated PhD students to work on such a thing. However, productizing the work of the innovators in this field is something that has not yet happened. Documentation is sketchy, tools are difficult to use, and the level of complexity remains very high.

That said, it is in fact now feasible for smart people to do this stuff, and the result of formally verified programs is true assurance of correctness.

It requires the use of technologies people are generally not familiar with, such as proof assistants -- prominent examples are Coq, Isabelle/HOL, and ACL2.

FWIW, I did a Google search and came up with this book, which looks like one place to start. As you say, all the references look highly theoretical. Do you know of any practical courses on the subject (perhaps even at EE Live!)?

"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." --Brian Kernighan

Now, add a complex physical system interacting with the code under test and things become even worse... My first reaction is that you can "asymptotically" check the code of a system such as the one you describe, but the coverage will never be perfect -- whether you do it by hand or with an automated tool.